Open Source Dependency Health Metrics That Actually Matter
Star counts and download numbers tell you popularity, not health. The metrics that predict dependency risk are harder to measure and more important to track.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Postinstall scripts have been the supply-chain attacker's favorite tool for a decade. Here are the sandboxing techniques that actually work, ranked from cheap to serious.
Inspect every lifecycle script in your node_modules tree, disable dangerous ones by default, and catch malicious postinstall hooks before they execute.
PyPI's 2FA mandate isn't just a personal-account concern anymore — enterprises publishing Python libraries have real rollout work to do. A playbook from the front lines.
setuptools is the default Python packaging backend and its security properties matter for anyone who builds, installs, or runs Python code. Here is what to watch.
The latest release of OpenSSF Scorecard introduces new checks and improved accuracy, helping organizations make data-driven decisions about open source dependency risk.
Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.
A hands-on look at how Dependabot security updates behave in 2023: PR grouping, semver strategy, transitive coverage, and alternatives when it misses a fix.
Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.